指定 ip:port 组合#

tcpdump -i lo -n -vvvv -A  "((dst port 22 and dst or (src port 22 and src"

# 思考,和这个一样吗: tcpdump -i lo 'host and port 22'

指定 port#

# 对外的连接 tcp port
tcpdump -i eth0 -n -vvvv -A  "((src portrange 20000-65535 and src $ETH0_IP) or (dst portrange 20000-65535 and dst $ETH0_IP))"

根据 RST FIN SYN 过滤#

# Show all RST packets:
tcpdump -i eth0 'tcp[13] & 4 != 0'
tcpdump -i eth0 "tcp[tcpflags] & (tcp-rst) != 0"

# Show all FIN packets:
tcpdump -i eth0 'tcp[13] & 1 != 0'
tcpdump -i eth0 "tcp[tcpflags] & (tcp-fin) != 0"

# Show all SYN packets:
tcpdump -i eth0 'tcp[13] & 2 != 0'
tcpdump -i eth0 "tcp[tcpflags] & (tcp-syn) != 0"

# Show all SYN/FIN/RST packets:
tcpdump -i eth0 "tcp[tcpflags] & (tcp-syn|tcp-fin|tcp-rst) != 0"
export MY_IP= #update it

$ip route get $MY_IP
# via dev eth3 src uid 1001
#    cache 
export INTERFACE=eth3 #update it by above output

sudo tcpdump -i $INTERFACE -c 9999 -w /tmp/tcpdump.pcap  "host $MY_IP and (tcp[13] & 1 != 0 or tcp[13] & 4 != 0 or tcp[13] & 2 != 0) " #only capture RST or FIN or SYN

subnet 过滤#

可以用 subnet/CIDR 过滤数据包。使用 CIDR 时需要注意,有时 copy 过来的 CIDR 不一定是规范的格式,如:

首先,看看 kubernetes cluster 的 pod 的 cidr 范围:

ps -ef | grep cidr
root      48587  20177  0 Dec08 ?        00:21:25 kube-controller-manager ... --cluster-cidr= ...--service-cluster-ip-range= ...


$ sudo tcpdump -i br0 -vvvv -A  net
tcpdump: non-network bits set in ""

发现,tcpdump 对 cidr 的格式要求比较严格,要求用首个可用 ip 段。使用 分析出 的首个可用 ip 为,固:

sudo tcpdump -i br0 -vvvv -A  net

抓取的 packet 大小限制#

By default most newer implementations of tcpdump will capture 65535 bytes, however in some situations you may not want to capture the default packet length. You can use -s to specify the “snaplen” or “snapshot length” that you want tcpdump to capture.

       -s snaplen
              Snarf snaplen bytes of data from each packet rather than the default of 262144 bytes.  Packets truncated because of a limited snapshot are indicated in the output with ``[|proto]'', where proto is the name of the protocol level at  which  the  truncation
              has occurred.

              Note  that  taking  larger  snapshots both increases the amount of time it takes to process packets and, effectively, decreases the amount of packet buffering.  This may cause packets to be lost.  Note also that taking smaller snapshots will discard data
              from protocols above the transport layer, which loses information that may be important.  NFS and AFS requests and replies, for example, are very large, and much of the detail won't be available if a too-short snapshot length is selected.

              If you need to reduce the snapshot size below the default, you should limit snaplen to the smallest number that will capture the protocol information you're interested in.  Setting snaplen to 0 sets it to the default of 262144, for backwards  compatibility with recent older versions of tcpdump.

Older versions of tcpdump truncate packets to 68 or 96 bytes. If this is the case, use -s to capture full-sized packets:

$ tcpdump -i <interface> -s 65535 -w <file>


抓包 位置与 iptable/netfilter/conntrack 的关系#

tcpdump 的抓包点。因为,这个点影响了,tcpdump 的过滤条件与输出。主要是这个点与 iptablesredirect 规则生效的前后问题。

tcpdump capture pinpoint:

tcpdump will see inbound traffic before iptables, but will see outbound traffic only after the firewall has processed it.

As a matter of fact, tcpdump is the first software found after the wire (and the NIC, if you will) on the way IN, and the last one on the way OUT.

  • Wire -> NIC -> tcpdump -> netfilter/iptables

  • iptables -> tcpdump -> NIC -> Wire


本地 IP 变量#

export ETH0_IP=$(ip addr show eth0 | grep "inet\b" | awk '{print $2}' | cut -d/ -f1)
export LOCAL_IP=$(ip addr show lo | grep "inet\b" | awk '{print $2}' | cut -d/ -f1)